For my private blog I use logins for all visitors. However, security is not of utmost importance therefore I would like to prolong session times for quite some time. In my optimal scenario it should be linked to the last time somebody has accessed the site (login expires 1 week after last visit).
I tried the following in my config.php (from: Forum):
s::$timeout = 60*24*30; // thirty days of session validity like in the Panel
s::$cookie['lifetime'] = 9999999; // don't let the cookie ever expire
I can see that cookie lifetimes are set accordingly.
Nonetheless I still have to login every few hours…
Running it on my own “internet facing” raspberry pi, apache2.
Uptime is 17 days. I am not aware of any tmp cleaning. However there do no seem to be any temporary files in /tmp from Apache.
Addition:
Shouldn’t the cookies (on the client) computer not make sure, that even if a session on the server expires, the client still keeps logged in?
No, a session cookie only contains the session ID, which is worthless if the session data for that ID is deleted on the server. To make the cookie work without needing to store anything on the server, you would need to save the username and password in the cookie (don’t do that as it will be stored in plain text).
What is the PHP option session.save_path set to on your RPi? You can find it on a phpinfo() page.
On Ubuntu it’s most likely the session.gc_maxlifetime option. Please see this tutorial on increasing this value. However please note that you shouldn’t increase it too much, otherwise you will have a lot of old session files on your server.
I’ve changed the value to 1 hour. I just had a user that was logged in and 2 minutes after his login, he was logged out.
Just a random thought: could it be related to me using Cloudflare? Some users will get the same IP (from cloudflare servers) and the other one will be logged out? Not sure if it’s working like this.